Recently in Security Information Management Category


[Image: Risk Management, by Cold Cut via Flickr]

Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia, John Raezer delivered a welcome presentation on Risk Management Effectiveness.

He stressed that IT and Information Security Management must understand the business model: what the key assets are, what their exposures and vulnerabilities are, and what the outcome would be if a threat materialized. It is not only the identification or recognition of an incident that matters, but also its root cause and contributing factors, and how that information gets included in or relayed back to Business Intelligence. What is the distribution of events, not only in near real time but historically: their severity, impacts, risk response, the policies and procedures used in containment, mitigation and follow-up, the contributing factors, and who owns the risk relationships?

His example of why frameworks such as Basel, COSO and COBIT are so important: the single factor that most damaged a company's reputation with its business partners, customers and suppliers was accounting irregularities. By far, accounting irregularities carried the highest reputational risk to a business's relationships with suppliers, business partners and customers; he cited some recent banking incidents as examples of customer and partner distrust.

He also covered the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected unexpected), and how we must understand the language of risk not only in the physical world but in the virtual world; eventually, he believes, there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.


[Image: The Microsoft sign at the entrance of the Germ..., via Wikipedia]

According to IT World Canada,
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support


If there is one thing that makes everyone nervous, it is the instability of new operating systems being deployed in the enterprise; with IE having control issues, there is a concern that the OS would also have stability problems.



Jason Ross's presentation at the Black Hat DC conference covered the problem of checkbox compliance: companies use checkbox compliance as a means to indicate that they are secure, when in fact it should be treated as the lowest acceptable level, a baseline. He points out, as others have, that some of the largest compromises of personal information happened at companies that had passed their external PCI audits. Compliance is absolutely wonderful in that it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.
Blackhat SEO

Jason points out the difficulty of detecting malware in enterprise environments: by the time the antivirus sends an alert about a malware sample or virus being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it is hard to get exact metrics on what is happening, because by the time that alert kicks off, six other events have already happened that were not detected.

IT and security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it is cleaning up, there are way too many other things happening. I once saw something interesting: a polymorphic virus that was loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and at one point there was a downloader. Even Microsoft writes about recovering the operating system and files to a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to have business support models. The objective is not to be noisy but to very quietly perform the tasks of infecting other hosts and using a network of hosts to make money, with malware such as URL Zone and Monkif as examples.

In the presentation he talks about SpiderMonkey by Didier Stevens, a tool for helping to analyze malcode, and the use of sandnets to isolate malcode in action so that it can be analyzed to determine what it wants to connect to or which services or files it wants to abuse. With polymorphic viruses that constantly change, it is usually interesting to observe them in action in a closed environment.

Years ago, I can't remember the movie name, but the analysts in the movie were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing their code so it cannot be easily detected by signatures, splitting it across multiple binaries so that each binary performs only a small function of the whole.

via this Black Hat briefing


HP Software Universe 2009

[Image: Enterprise Architecture Process, via Wikipedia]

Last day here at HP Universe in Hamburg, talking about integrating Information Security Management more closely into the enterprise architecture and the system development life cycle. Enterprise frameworks, including the new NIST Special Publication 800-37 Rev. 1 guideline with its six-step Risk Management Framework, as well as ITIL V3 and COBIT 4.1, call for information security to be closely aligned with the enterprise for effective risk management.

We have been talking about the new standards and guidelines concerning the harmonization of IT and Information Security Governance. With netForensics Sim One information security management enterprise software integrated with HP uCMDB and HP Operations Manager software, we can provide the proof that IT Operations Management and Information Security Management are working toward the same vision of domain services: continual monitoring of enterprise services, giving IT Operations and Information Security the ability to monitor the effectiveness of the control environment and promoting near real-time risk management.

If you're looking for solutions to help you manage risk-based decisions regarding the organizational information systems that support your core missions and business functions, we already have it.




[Image: Cyber crime, by Angus Kingston via Flickr]

The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of banks, mortgage, loan, lending fraud; securities and commodities fraud, mail and wire fraud, retirement fraud, tax crimes, false claims, unfair competition, discrimination, and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

Recently, in the Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the control systems of its dams. Employees and contractors of the system complained that their pay checks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says "Computers rule the world today and the fellow that rules the computer, rules the world." and Richard Pryor's character hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article "Digital Steganography Threat or Hype" by James E. Wingate, summary:
The use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters `panic mode` The Financial Post


[Image: United States Power Grid, via Wikipedia]

The National Interest online's article by Richard Clarke outlines the difficulties countries face in protecting their economies from disruption of the data processing that manages the controls of the nation's power grid, fuel supply, food supply chains, etc., or the ability of private commerce to conduct business.

Although the article concentrates on the United States economy, it is a worldwide concern that the electronic infrastructure controlling the physical and logical stability of nations is fragile and vulnerable, and that our systems are complex, perhaps overly complex.

There is real concern between nations that having the superiority to disable another nation's ability to conduct commerce, or to defend its controls on the infrastructure that supplies services to its citizens, in times of political or resource conflict is far too much of an advantage; and then there is, as Richard Clarke points out, the "who dun it" piece.

I don't necessarily think that this is limited to cyber warfare; certainly in conventional warfare, through covert activities, groups have tried to blame conflicts on others not involved in order to escalate hostility between factions already at odds with each other.


Take the recent denial of service attacks in July: was it really who we thought it was, or was it someone else trying to make it look that way? It is not always the most recent notification or alert that lets you trace an incident, but the ability to perform historical correlation on transactions that were allowed through trusted environments.

The other point, although not usually discussed: where are all the electronics made? Who makes all the components inside the equipment?

Richard Clarke -
"The major differences between cyber war and conventional war--one that makes the battlefield more perilous--is what cyber warriors call "the attribution problem." Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source."

"The "critical infrastructure" of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet."

Richard Clarke was special adviser to the president for cybersecurity in the George W. Bush administration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.


National Interest Article on War from Cyber Space


On 11/2/2009 Microsoft published its Security Intelligence Report.

Microsoft reports that Windows XP users experienced significantly more security violations than Windows Vista users, and that Conficker infections are the top threat in enterprise environments but not even in the top 10 in home computing environments.

From its statistical data, Microsoft points out that there are differences in the types of threats per country: the U.S. and UK saw a high presence of Win32/Alureon and Win32/Vundo, some EU countries saw Win32/Wintrim as most active, in China Win32/BaiduSobar and Win32/Frethog were most active, and in Brazil it is Win32/Bancos.

Client-side and server-side polymorphic viruses seem to account for a large share of the miscellaneous virus variations. A polymorphic virus can mutate its structure to avoid detection by antivirus programs, usually by changing a variable or variables in its code without changing its overall algorithm.

There is a lot of interesting data published in this report that is about 232 pages long with information about organizations that are actively involved in mitigating exploits.

[Image: Conficker DE, via Wikipedia]

Microsoft Security Intelligence Report

References:
Conficker Working Group


Neil deGrasse Tyson once said, "To a discoverer all data is valuable, even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But when it is combined with other types of information within a relevant time frame, the information becomes very valuable, and the more layers of information are presented, the more useful it becomes.

Some of the most valuable data you get does not even come from the realm of logical data gathering. It is information from outside the logical analysis of data, which brings to mind Sam Walton's expression, "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to exploit the weakest link -- not operating systems, firewalls or encryption algorithms -- but people. In information security, knowing what is of value, where it is located, who has access to it, and what trust zones and controls allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how a trust zone can be compromised to gain access to valuable or confidential data is critical. It is the continual discovery process, and breaking through the silos of knowledge and control, that will help provide the additional layers needed in developing an effective information security program.

Why is my executive office printer sending HTTPS and FTP traffic outbound to a home ISP DHCP range, or using GoToMyPC?
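The printer question above is exactly the kind of trust-zone check a monitoring pipeline can express directly. As an added illustration (not code from the original post or from netForensics), the following Python flags a printer that initiates HTTPS or FTP toward addresses outside the trust zone, notes when the destination falls in a range tagged as a residential ISP pool, and flags contact with a remote-access service; the asset inventory, address ranges and flow records are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed asset inventory (hypothetical): source IP -> device class.
ASSETS: Dict[str, str] = {
    "10.20.5.17": "printer",
    "10.20.9.3": "printer",
    "10.20.5.40": "workstation",
}

# Address space inside the trust zone; a printer may talk freely here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed stand-in for a home ISP DHCP pool (TEST-NET-3, so the sample
# is documentation-only and never points at a real network).
RESIDENTIAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Outbound services a printer has no business initiating toward the Internet.
WATCHED_PORTS = {21: "ftp", 443: "https"}

# Remote-access service domains a printer should never contact.
REMOTE_ACCESS_SUFFIXES = ("gotomypc.com",)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    sni: str = ""  # TLS server name, when the sensor captured it


@dataclass
class Alert:
    src: str
    dst: str
    reasons: List[str] = field(default_factory=list)


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record."""
    kv = dict(part.split("=", 1) for part in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"], kv.get("sni", ""))


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_flow(flow: Flow) -> Optional[Alert]:
    """Return an Alert when a printer leaves the trust zone in a way it should not."""
    if ASSETS.get(flow.src) != "printer" or in_any(flow.dst, INTERNAL_NETS):
        return None  # not a printer, or traffic stayed inside the trust zone
    reasons = []
    if flow.dport in WATCHED_PORTS:
        where = "residential ISP range" if in_any(flow.dst, RESIDENTIAL_NETS) else "external host"
        reasons.append(f"outbound {WATCHED_PORTS[flow.dport]} to {where} {flow.dst}")
    if flow.sni and flow.sni.endswith(REMOTE_ACCESS_SUFFIXES):
        reasons.append(f"contacted remote-access service {flow.sni}")
    return Alert(flow.src, flow.dst, reasons) if reasons else None


def scan(lines: List[str]) -> List[Alert]:
    """Run the printer egress check over a batch of flow records."""
    alerts = []
    for line in lines:
        alert = check_flow(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample flow records (not real traffic).
SAMPLE_LOG = [
    "src=10.20.5.17 dst=10.20.1.5 dport=443 proto=tcp",                           # printer -> internal print server: fine
    "src=10.20.5.17 dst=203.0.113.44 dport=443 proto=tcp sni=update.example.net",  # printer -> home ISP range over https
    "src=10.20.5.40 dst=198.51.100.7 dport=443 proto=tcp sni=www.example.com",     # workstation browsing: out of scope
    "src=10.20.9.3 dst=198.51.100.20 dport=21 proto=tcp",                          # printer -> external ftp
    "src=10.20.9.3 dst=198.51.100.90 dport=443 proto=tcp sni=poll.gotomypc.com",   # printer -> remote-access service
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.src} -> {a.dst}: " + "; ".join(a.reasons))
```

In a real deployment the asset classes would come from the CMDB and the flow records from the sensor or SIEM, so the same check runs continuously rather than over a fixed list.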


The Food and Drug Administration recently announced that the Office of the National Coordinator for Health Information Technology is launching the Sentinel Initiative with the ultimate goal of creating and implementing the Sentinel System - a national, integrated, electronic system for monitoring medical product safety.

The Sentinel System, which will be developed and implemented in stages, will ultimately enable the agency to tap the capabilities of multiple existing data systems (e.g., electronic health record systems, medical claims databases) to augment its current capability.

The goal is an understanding of adverse events resulting from treatment, creating new methods of signal detection, data mining and analysis that enable researchers to generate hypotheses about, and confirm the existence and causal factors of, safety problems in the populations using the products.

Currently the focus has been to integrate data from various large databases: MedSun (Medical Product Safety Network), KIDNet (a postmarket database of pediatric ICUs and neonatal ICUs), HeartNet (data gathered from electrophysiology laboratories), LabNet (data collected from hospital laboratories), SightNet (a collection of data from the use of ophthalmic devices), and HomeNet (a collection of data from home-use devices). The FDA signed agreements with the Veterans Health Administration (VHA) to build tools and infrastructure for evaluating the safety of drugs, biologics and medical devices, and with the Department of Defense (DoD) for automated signal generation and data mining tools using the DoD's AHLTA electronic medical record system, as well as to evaluate influenza vaccine safety.

At the core of this collaboration is information technology. The Certification Commission for Healthcare Information Technology (CCHIT) provides processes that ensure interoperability for Electronic Health Records (EHR). The Healthcare Information Technology Standards Panel (HITSP) provides interoperability specifications (HITSP C32, C35, C36) for exchanging patient data between the Community Health Centers that share it (HIEs, or Health Information Exchanges).

The Nationwide Health Information Network (NHIN) is being developed to provide a national, secure and interoperable network. This network of networks will connect the diverse entities at the state and regional level (HIEs) that need to exchange health care information. The FDA plans to use the existing NHIN framework to give Sentinel access to diverse networks so it can retrieve data from a number of healthcare resources.

Healthcare IT services now interconnect patient medical devices, both local and remote to the health facility, with Medical Device Data Systems (MDDS) that collect and store status and performance data from those devices. The MDDS systems interconnect with EHR systems, which connect to the healthcare network (HIE) and the NHIN "network of networks" grid. The Holland & Hart Healthcare Law Blog article on Internet Medicine points out the challenges in making medical devices interoperate with electronic health record systems, and the proliferation of Internet worms (Conficker). Robert Nadler's article from RDN Consulting on medical devices provides a diagram showing the protocols used to connect medical devices to the healthcare network.

In another article, Rex Gantenbein, Ph.D., of the University of Wyoming presents the federated model of the HIE and its advantages.

Monitoring the efficiency and effectiveness of the control environment around HIE connections, as well as the back-end infrastructure of EHR systems, their trust relationships with medical data systems, and their connections to patient medical devices, will require a strong information security program integrated within the medical IT framework and the medical business supply chain. Prevention of intrusions and data breaches will be an ongoing lesson learned as data is liberated from applications, becomes more liquid, and data silos are taken down. Medical data is valuable information for those who depend on it for survival. Imagine botnets that are able to infiltrate healthcare medical devices or turn off medical monitoring equipment.

Links:
Health Information Technology (HealthIT).
Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
The FDA Sentinel Initiative.
Common Framework for Networked Personal Health Information



Below are select areas I highlighted from the 76-page White House Cyberspace Policy Review document. Throughout the document, the review shows that it is clearly in favor of national awareness programs and of special consideration for the development of information security specialists and information technology specialists. In 2007 at the Gartner Risk Conference, when CISOs and CIOs were asked where they would like to spend additional funding, the primary answer was information security education and awareness programs.

There was a mutual feeling among many specialists in the information security field that the suggestions on creating a cyberspace official did not go far enough toward resolving the complex problems in the public, private and government space; many people had hoped this office would report directly to the President and were disappointed in the recommendations in this regard.

The Whitehouse Cyberspace Policy review documents can be found here:
White House Cyber Space Policy Review

Cyber Review Documents

The December 2008 report by the Commission on Cybersecurity for the 44th Presidency states the challenge plainly: "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration." The President had ordered a "clean slate" review to assess U.S. policies and structures for cybersecurity. What is cyberspace? Presidential Directive 23 (NSPD-54/HSPD-23) defines cyberspace as the interdependent network of information technology, including the Internet, telecommunication networks, computer systems, and embedded processors and controllers in critical industries.

The report estimates that in 2008 systemic loss of U.S. Economic value due to intellectual property data theft was nearly 1 trillion dollars.

"The President should consider appointing a cybersecurity policy official.
The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally."

"Many advisory bodies touch on cybersecurity-related issues, including the National Security and Telecommunications Advisory Committee (NSTAC), the
National Infrastructure Advisory Council (NIAC), the Critical Infrastructure Partnership Advisory Council (CIPAC), and the Information Security and Privacy Advisory Board (ISPAB). The cybersecurity policy official should review the responsibilities of these bodies and propose changes as necessary to optimize advice and eliminate unnecessary duplication."

"The cybersecurity policy official--in consultation with NSC, OMB, NEC, and OSTP--would define the milestones and success criteria and raise the visibility of cybersecurity within all agency budgets."

"The Nation should implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy. The public and private sectors' interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend."

"The Federal government, the private sector, and other stakeholders together should define technology-neutral performance and security objectives for future infrastructure, both to meet its own requirements as a consumer as well as in its capacity as a steward of the public interest."

"The Defense Advanced Research Project Agency (DARPA) describes defense of current Internet Protocol-based networks as a losing proposition and calls for an independent examination of alternate architectures."

Reference - DARPA Assurable Global Networking

Reference - Intrinsically Assurable mobile ad-hoc network (IAMANET)

"The Federal government--in collaboration with industry and the civil liberties and privacy communities--should build a cybersecurity-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through myriad information, services, and benefit programs and thus has an interest in the protection of the public's private information as well. Increased use of on-line transactions involving financial, health, and commerce require a basis for building trust between the parties to a transaction."

Near Term Action Plan:

1. "Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy."

2. "Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes."

3. "Designate cybersecurity as one of the President's key management priorities and establish performance metrics."

4. "Designate a privacy and civil liberties official to the NSC cybersecurity directorate."

5. "Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government."

6. "Initiate a national public awareness and education campaign to promote cybersecurity."

7. "Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity."

8. "Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement."

9. "In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions."

10. "Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation."

 
© 2009 netForensics, Inc Privacy Policy | Site Map